In the NFL, the quarterback is king. It’s the highest paid and most important position, because a top quarterback can make a mediocre team into title contenders overnight. Equally, a poor choice at quarterback can hobble a team until they’re replaced at a cost of millions of dollars – it cost the Oakland Raiders $39.4m to release the one-time quarterback prodigy JaMarcus Russell. It’s a position where successful college players are turned into much-hyped superheroes, only to be discarded when the next guy with “a cannon for an arm” proves to be a bust.
Almost all analysts agree that, just below the relatively obvious requirement to throw the ball accurately, one of the many ingredients in a top quarterback is the courage to look downfield. The quarterback has to keep his eyes up, looking past the group of 300lb armoured men who are given the single goal of hitting the quarterback as hard as they can, and he has to do this for long enough to find the right target for a pass. Quarterbacks who focus on the immediate threat of being sacked, rather than accepting the risk of being hit in order to look up and find the open receiver, do not have long-term futures in the NFL.
Every day for information security staff brings dozens of distractions, and every organisation faces an intimidating group of immediate “pass rusher” risks.
Threat actors backed by nation states. Organised criminals who learn from those actors and will be able to deliver that same capability next week. Executives who pay no attention until Target get hit by a data breach, and then want a report on their desk tomorrow reassuring them that their name won’t be next. Staff wanting to use their iPads – because the Directors are already using theirs. A security industry which accepts that breaches are a “when, not if” scenario and a wider world which refuses to accept this new reality. It’s enough to make the toughest quarterback blink.
Despite all of this – or perhaps because of all of this – information security staff need to have the courage to look downfield.
None of the big modern issues in information security can be solved by ad hoc fixes or (excuse the pun) by applying short-term patches to address a long-term problem. All of them require a programme of work over weeks or months to implement sustainable and proven controls rather than panicked “silver bullet” solutions.
And the “look downfield” culture needs to extend beyond information security; executives who manage business risk need to be told about security risks in the same language, and must deal with them as part of standard business management processes. Organisations must prepare for breaches in the same way as they prepare for exploding datacentres (disaster recovery) and global pandemic (business continuity) – as year-round issues which are not solved by new technology but which are mitigated by sensible, proportionate planning and investment. Businesses without adequate DR or BCP in place would be seen as negligent; businesses which do not plan for security breaches must come under the same pressure.
Security breaches will happen. Plan and prepare for the quarterback getting hit. Ensure that you’re able to get up and continue to look downfield. If your business is prepared for the inevitability of a security breach, with forensic readiness included in key systems and resource agreed for bringing in investigators immediately, the short-term impact of taking a hit will not take you out of the game.